currently I'm working on a DR case, where an employee deleted all of his files from his machine on his last work day. Some of the files I was able to restore but some files are gone. The Employee now thought that the worker might have hidden the files somewhere in the system. I already checked the recent changed files with R-Studio, nothing there. And well, I don't think he was so clever and have changed the date of his machine. But I want to give it a shot.

Is there some kind of a tool, where I can find files in the System (Windows 10) that doesn't belong to the system? I'm sure there is some kind of a database of knows System and Programm files. But do you know how I can get it?

Whats the aim? prosecution? or just getting the files back because they are needed? If prosecution, a proper forensic analyst should do it otherwise evidence won't hold up.

As far as I can tell, it's not illegal to wipe files from the machine you have access to after you got fired - at least in Germany. So prosecution is not a deal. But I think the company may sue the employee for the damage he did and for this task my word as a DR specialist or expert witness will be enough. But I think the main reason is just to get the files back.

HaQue wrote:

If you need files, you could install windows 10 on a VM, patch it to the build the system was, do a file list or hash list, then you have a database.

I don't think that is going to work, because then I need to install all the apps, that have ever been installed on this machine. And so on. And to be honest, I don't really want to waste my time on this. It's one thing to run a program that is going to do all the work for me. But it's another thing to do worthless labour.

HaQue wrote:

was it an SSD?

Yes, and the computer was about half an hour powered on after the files were deleted and after that the Company powered the Notebook on and after they realised that the employee deleted his / their files, they left the notebook running for about 20 minutes.My result was, that about 1% of the files are OK, and 5% of the files are damaged. Everything else is gone.

HaQue wrote:

Looks like the company had poor IT practices though, which will probably hinder your task. R-Studio probably got back all that exists. Especially if the user doesn't appear to be savvy.

I have no idea why here in Germany the IT departments have so bad backup practices. Few days ago, I had from another company a Raid System with 24 Drives, configured in a Raid-5 combination and NO FUCKING BACKUPS! Me as a little DR Company have a Raid-6 on the Servers, a ML6000 Tape library for on site backups and a Cloud Solution for offsite backups. And Tapes in a safe deposit box.

At least I washed the head of the company with the deleted files. This time the employee deleted the files. Next time the notebook get stolen. There is no way, they can survive with that kind of practice.

That kind of IT practice is rampant here as well. I commonly see windows XP on POS stuff as well as no backups, open internet etc.. I used to try and explain but there just isn't enough time to preach that sermon.

This recent job is a good indicator: I help a local shop with a dropbox issue.problem as told to me was they used to be able to access their dropbox at the shop and at home, but now it is gone. I first couldn't find any indication dropbox was installed. so I install and asked for the dropbox username and password. Never needed one they said, just drop files in it. Oh-Kayyy I say, how did you access it? just double click the folder on the desktop. and how did you get them at home? we took the laptop home.. Oh, so it is just this one computer...yes. I find a folder named "DROPBOX" inside the "Accounts" folder on the desktop.

so does this look like the folder and all the contents? YES!! you found it!. fast forward an explanation of dropbox.. wow they say, that sounds pretty handy! yeah...

during the discussion, it was apparent that they also thought the internet at the shop, and the internet at home was somehow different. shop was a business plan which they assumed was on some business internet.They did however pay for Kaspersky anti-virus religiously, which I see mainly with people not confident with computers. It is a strange paradigm.

It hasn't been explicitly mentioned, maybe it's obvious among professional DR technicians, but it might not be for anyone reading this : if it's a SSD, the "Trim" feature is probably the reason why most of the deleted data has been effectively wiped clean.Have you tried opening the volume with an hexadecimal editor, to see roughly how much of it is just zero-filled ? What did you observe in R-Studio, is the file tree complete, including the missing files, although most of them are actually empty, or are those files missing in the file tree as well, meaning their MFT records are gone too ? The second hypothesis would be more surprising.Are the lost files of a common type (JPG, DOC...), or a very specific type ? Either way you could attempt a raw file recovery, but R-Studio does that by default so most likely you already had everything it could find (be sure to select the right file types in the options though, according to what should be expected / what there used to be ; you can also define specific header recognition patterns if some files are of a rare type unknown to R-Studio). You imaged the drive before running R-Studio on the image, right ? Otherwise, the time it took to scan the drive must be added to the power-on times you mentioned (unless there is some trick to disable Trim ?).

Quote:

Is there some kind of a tool, where I can find files in the System (Windows 10) that doesn't belong to the system? I'm sure there is some kind of a database of knows System and Programm files. But do you know how I can get it?

I'm not sure of what you mean exactly here. Are the missing files .exe or .dll or .sys ? Probably not. On my Windows 7 install, these three files types amount for 64% of the total size of the allocated files, according to WinDirStat a simple and free but efficient space visualizer. Then, by decreasing order : .dir, .db, .msi, .tmp, .mv_, .edb, .cab, .dat, then it gets below 1GB / 1%. More common user-generated file types are much more rare within system and softwares files : .jpg and .pdf amount for about 500Mo of each ; .xls, .ods, .cls : ~2MB each ; .doc, .xlsx, .pptx : only 100-200KB each (not a single .docx).

Who is online

Users browsing this forum: No registered users and 2 guests

You cannot post new topics in this forumYou cannot reply to topics in this forumYou cannot edit your posts in this forumYou cannot delete your posts in this forumYou cannot post attachments in this forum